Create Self-Signed Certificates for HSM
About this task
Use the manageKeyCerts -create command to create a self-signed key certificate. Stop CM before you run this command.
Consider the following before you use this command:
- If the engine parameter is defined, a certificate is created on the HSM configured for that engine. If a netHSM is used and multiple engines access the netHSM, any of the engines can be specified to create the certificate on the HSM.
- If the engine uses a PCI module and it cannot be accessed by other engines, group the key certificates for that engine in a separate system certificate store. Those key certificates cannot be shared with other engines.
- If the engine parameter is not defined, and HSM support is enabled on CM, the key certificate is created on the HSM configured for CM. Make sure that engines that use this key certificate can access the HSM enabled for CM.
- If the engine parameter is not defined and HSM support is not enabled on CM, the key certificate is created on the Secure Proxy system certificate keystore.
To create a self-signed key certificate, type the following command:
manageKeyCerts -create [parameters]
Following are the parameters used to create a key certificate:
| Parameter | Description |
|---|---|
| certName | Name of the key certificate on Secure Proxy. Required. |
| certStore | Name of the system certificate store where the key certificate is stored. Optional. If the store does not exist, it is created. Default=dfltKeyStore. |
| engine | Name of the engine with access to the HSM. Optional. |
| alias | Alias for the key certificate on the HSM. Optional. If no value is defined, the alias defaults to the certificate name. |
| keySize | Size of the key to create, in bits. Valid values = 1024 \| 2048 \| 4096. Default=1024. |
| CN | Certificate common name. Required. If the name contains spaces, enclose the parameter and its value in double quotes, for example "CN=my name". |
|  | E-mail address. Optional. |
| O | Organization. Optional. If the value contains spaces, enclose the parameter and its value in double quotes, for example "O=my org". |
| OU | Organization unit. Optional. Repeat this parameter to specify more than one organization unit. If the value contains spaces, enclose the parameter and its value in double quotes, for example "OU=my unit". |
| L | Location (city). Optional. If the value contains spaces, enclose the parameter and its value in double quotes, for example "L=my location". |
| ST | State. Optional. If the value contains spaces, enclose the parameter and its value in double quotes, for example "ST=my state". |
| C | Two-letter country code. Optional. |
| daysValid | Number of days the key certificate is valid. Optional. Default=365. |
| serial | Serial number for the key certificate. Optional. Default=1. |
| certSignBit | Whether to set the certificate signing bit in the key usage flags. Valid values = n \| y \| false \| true. Default=n. |
| replace | Whether to replace a key certificate if a certificate with the same name already exists in the Secure Proxy system certificate store. Optional. Valid values = false \| true. Default=false. |
| systempass | Passphrase for CM. |
| adminid | Administrator ID. Optional. Prompts if not defined. |
| adminpass | Administrator password. Optional. Prompts if not defined. |
| keystorepass | Keystore password. Optional. Prompts if not defined. For SafeNet, the user PIN for the slot used by Secure Proxy. For Thales, the passphrase for the operator smart card that protects the key. The card must be inserted in the module's card reader. |
| keypass | Passphrase for the key in the keystore. Optional. Prompts if not defined. For SafeNet, this parameter can be any value and is ignored. For Thales, this must be the same value as the keystore password. |
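As an added example (not part of the product documentation), the Python helper below assembles a manageKeyCerts -create command line from the parameters in the table, enforces the table's valid-value rules and double-quoting convention, and flags settings worth reviewing before the key is generated on the HSM. It assumes the name=value token form suggested by the "CN=my name" example; check the exact syntax against the product before relying on it.

```python
import re

# Valid values as listed in the parameter table (assumed name=value token form).
VALID_KEY_SIZES = {"1024", "2048", "4096"}
VALID_CERT_SIGN_BIT = {"n", "y", "false", "true"}
VALID_REPLACE = {"false", "true"}
REPEATABLE = {"OU"}                      # OU may be given more than once
PROMPTED_SECRETS = {"adminpass", "keystorepass", "keypass"}


def quote_token(name, value):
    """Return name=value, double-quoted when the value contains spaces."""
    token = f"{name}={value}"
    return f'"{token}"' if " " in value else token


def build_create_command(params):
    """Return (command_line, warnings) for manageKeyCerts -create.

    params maps parameter name -> str (or a list of str for OU).
    Raises ValueError for missing required parameters or invalid values.
    """
    if "certName" not in params or "CN" not in params:
        raise ValueError("certName and CN are required")
    key_size = params.get("keySize", "1024")          # documented default
    if key_size not in VALID_KEY_SIZES:
        raise ValueError("keySize must be 1024, 2048 or 4096")
    if params.get("certSignBit", "n") not in VALID_CERT_SIGN_BIT:
        raise ValueError("certSignBit must be n, y, false or true")
    if params.get("replace", "false") not in VALID_REPLACE:
        raise ValueError("replace must be false or true")
    if not params.get("daysValid", "365").isdigit():
        raise ValueError("daysValid must be a whole number of days")
    if "C" in params and not re.fullmatch(r"[A-Za-z]{2}", params["C"]):
        raise ValueError("C must be a two-letter country code")

    warnings = []
    if int(key_size) < 2048:
        warnings.append("keySize 1024 (the default) is below current RSA "
                        "guidance; prefer 2048 or 4096")
    for secret in sorted(PROMPTED_SECRETS & params.keys()):
        warnings.append(f"{secret} on the command line is visible in shell "
                        "history and process listings; omit it to be prompted")

    tokens = ["manageKeyCerts", "-create"]
    for name, value in params.items():
        values = value if isinstance(value, list) else [value]
        if len(values) > 1 and name not in REPEATABLE:
            raise ValueError(f"{name} cannot be repeated")
        tokens.extend(quote_token(name, v) for v in values)
    return " ".join(tokens), warnings
```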